Do My Security Controls Achieve Wireless PCI DSS?

Transcription

1 Do My Security Controls Achieve Wireless PCI DSS? Whitepaper

2 Whitepaper 2 The Cost of Non-Compliance The cost of non-compliance and gap remediation is something many retailers consider as they conduct their yearly PCI audit. Non-compliance fines can range anywhere from $5, ,000 per month depending on the card brand, the nature of non-compliance, and the number of incidents. On top of audit costs and non-compliance fines, the cost of remediating a breach can be expensive. According to InfoWeek s Dark Reading October 2014 article, It now takes a large organization an average of 31 days, at a cost of $20,000 per day, to clean up and remediate after a cyber-attack, with the total price tag for a data breach now at $640,000. And if those costs aren t formidable, consider the enduring negative impacts from bad publicity and waning customer loyalty on brand equity the retailer has spent a fortune building. If we take a look at the most recent high profile retail data breach, thieves stole 40 million credit and debit cards from Target between Nov. 27 and Dec. 15, And the impact was devastating. According to AdWeek, Target s massive data breach racked up 150 billion media impressions between December 2013 and July Given the media attention and feelings of mistrust, 35% of the retailer s customers changed their shopping behavior post-data breach (Source: BizRate Insights). A recent Forbes article estimated that Target s December 2013 data breach has cost the company $148 million in lost sales. Target eventually slashed its second quarter earnings per share guidance from $0.85-$1.00 to $0.78, citing the data breach as well as debt retirement expenses as primary reasons. Cost of Non-Compliance $5,000 - $200,000 Non-compliance fines per month (Depending on the card brand, the nature of non-compliance, and the number of incidents) If your business accepts payment cards, it needs to be PCI compliant to protect customer data. Wi-Fi is a common attack vector. Rising threat levels and new technologies that make networked devices more mobile and interconnected mean that your wireless networks must conform to PCI standards. Source: Focus on PCI The Cost of Remediation Impact of a cyber-attack 43M PwC detected 43 million security incidents in 2014, a CAGR of 66% since days Average Remediation Timeframe $20,000 Cost per day $640,000 Total price tag for a data breach 69% 69% of consumers are less likely to shop at an organization that has been breached Source: Dark Reading, October Source: Verizon 2015 PCI Compliance Report Target s Data Breach by the Numbers 40 million Number of credit and debit cards stolen from Target between Nov. 27 and Dec. 70 million Number of records stolen that included the name, address, address and phone number of Target shoppers 46 Percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before 200 million Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards 100 million Dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards Brand impact: Target s massive data breach racked up 150 billion media impressions between December and July (AdWeek) Loyalty impact: 35% of the retailer s customers have changed their shopping behavior post-data breach (BizRate Insights) Financial impact: Target estimated that its December 2013 data breach has cost the company $148 million in losses (Forbes)

3 Whitepaper 3 Impact of Latest Trends on Wi-Fi Security New ac standard creates security blind spots New high-performance ac standard creates security blind spots Compliance officers need to consider the adoption of the ac Wi-Fi standard and take an informed approach to securing against vulnerabilities in that spectrum. According to IDC s 2015 Wi-Fi shipment data, the ac standard continues to see adoption at a breakneck pace in the enterprise segment. The ac standard already accounts for 30% of access point shipments, representing a noticeably faster adoption rate than the a/b/g to n transition several years ago ac standard is also coming to consumer devices and anyone can buy an ac access point at a local Best Buy, creating a pool of potential rogue access points. Many merchants may be reluctant to invest in ac technology for their store networks due to limited capacities of their backhaul. However, the risk of not being able to detect and mitigate ac threats is real. From the standpoint of wireless intrusion prevention (WIPS), you need ac sensors to perform your wireless PCI compliance scanning n radios can only detect a subset of security threats in the ac spectrum. So if you have an aging n or earlier infrastructure, this is a strong reason to upgrade to ac technology. Best of all, this upgrade does not come at a CapEx premium as ac and n infrastructure are generally available at comparable pricing. 30% ac standard accounts for 30% of access point shipments* 11n radio cannot monitor 11ac frame formats! *Source: IDC Worldwide Quarterly WLAN Tracker, March infrastructure getting deployed today, having an expected lifespan of five to seven years, it is reasonable to expect it will be able to handle the increased demands of IoT-related apps and traditional network access concurrently, says Nolan Greene, Research Analyst with IDC s Network Infrastructure group. Internet of Things Becoming Reality 28B Mojo Networks is helping merchants prepare by scaling up network monitoring capabilities on its ac platform. It now has the ability to monitor 2000 active wireless devices per AP/ sensor, which is critical as industries of all kinds move into realms of wider connectivity. IDC predicts that 28 billion connected devices will exist by 2020 how will network and security professionals cope? IoT requires compliance officers to address both device volume and device diversity: THE INTERNET of THINGS Internet of Things is fast becoming a reality IDC predicts that 28 billion connected devices will exist by 2020 how will network and security professionals cope? Awareness around IoT continues to grow rapidly, even though full IoT reality is expected to come to fruition over the next several years. Still, with new network Device Volume Device Diversity System Scalability Operational Scalability

4 Whitepaper 4 Equally important is the capacity of Mojo Networks cloud management system to scale to hundreds of thousands of devices being monitored across multiple geographies and customers. This scalability is coupled with Mojo Networks patented ac WIPS technology, which allows for fully-automated 24X7 protection, with zero false positive / false negative operation. It requires no IT involvement for mitigation of wireless threats or compliance reporting. Mobile POS drives new requirements for Wi-Fi networks Point of sale systems are the lifeblood of any merchant s business. This is a well-established market and upgrade cycles can be long. However, adding mobile POS and prepping for EMV is pushing 47% of restaurants to look at POS upgrades, according to Hospitality Technology s POS Software Trend Report Restaurant operators are pragmatic, and rightfully expect that their wireless networks play multiple roles to justify the investment. Wi-Fi has to contribute to business efficiency, improve employee productivity, and play a role in customer engagement. The availability of complimentary Wi-Fi access is becoming an increasingly significant factor in consumers choice of restaurants, according to the food industry research and consulting firm Technomic. About 40% of participants Mobile Technologies Create NewRequirements for WiFi Networks 47% of restaurants are planning POS upgrades to add mobile POS and EMV* 40% * Source: Hospitality Technology s POS Software Trend Report in a recent study conducted by the company deemed free Wi-Fi an important or very important consideration in restaurant selection second only to whether an establishment includes such information as menus on its website, reports Hospitality Technology. These multi-function networks must be open enough to welcome guests, but also highly secure to protect your brand from data loss and breaches. Both openness and security are needed to achieve operators vision of digitally enabled restaurants and the two terms do not have to be a contradiction. Compliance officers can leverage WIPS technology to lock trusted devices to authorized networks and prevent them from joining neighboring access points. This keeps sensitive applications and data secure and prevents any wireless honeypot attacks. How to Leverage Technology to Lower the Barriers to Wireless Security Compliance officers are rightly concerned about human factors which can often be the soft underbelly of any security policy. To future-proof themselves against both inadvertent security lapses and malicious internal or external actions, merchants should consider solutions behaviorbased security, which includes: Consumers are becoming more mobile and want to pay and access the internet from anywhere. Businesses must protect these communications. of participants in a study conducted by Technomic deemed free Wi-Fi an important or very important consideration in restaurant selection** ** Source: Hospitality Technology, Restaurants Add Free Wi-Fi to the Menu Strong device behavioral analysis logic, since traditional signatures and threshold based security solutions can t catch up with the evolving monitoring scenarios. Fast response time to threats, to tackle the new and optimized attack and policy violation triggers. How should merchants determine whether a wireless PCI solution stands up to the test of security beyond checklist compliance? Is threat scanning 24 7 or is it only occasional spot scanning? PCI does not require 24 7 scanning, but continuous scanning is the best practice. Notably, the entire Target breach occurred over only 3 weeks that is a much briefer period than a quarter. Does the scan merely serve up raw data to compliance officers or does it filter out genuine threats so they can be mitigated? With too many alarms, it s natural to become desensitized, letting the human behavioral factors undermine your security and compliance posture. Is the solution capable of detecting all types of vulnerabilities? Can it identify various types of rogue APs? If it can only identify a few types of rogues (such as rogues with correlation between their wired and wireless MAC addresses so called MAC adjacency), how can you trust that report since there could be unidentified rogue APs connected to the CDE among the large number of APs detected during the scan? Is the solution capable of automatically containing the identified vulnerabilities? Although automatic mitigation is not a PCI requirement, in large nationwide deployments, automatic containment is a requirement for security. Automatic containment reduces the window of vulnerability. Moreover, automatic containment has to occur without false alarms which can disrupt legitimate operations.

5 Whitepaper 5 About Mojo Networks, Inc. Mojo Networks is redefining the modern WiFi platform. Imagine the scalability to set up millions of access points with a few clicks, all from your smartphone. Envision an Internet experience that engages users with your business to drive results. Stay secure on the same WiFi cloud powering major brands and the highest levels of government. And enjoy the cost savings of a cloud-first solution without the pricey markup of proprietary hardware. Welcome to the era of prolific connectivity. Founded in 2003, Mojo Networks (formerly known as AirTight Networks), serves customers in the Fortune 500, Global 2000 and large carriers around the world. Request a free demo of Mojo Cloud Managed WiFi Platform at Is the solution capable of full security operation at the store level without critical dependence on WAN links? The answer to these critical questions will determine if merchants can be fully armed to protect themselves either during a compliance audit or against a legitimate wireless threat. Mojo Networks, Inc. 339 N. Bernardo Avenue #200, Mountain View, CA T T F info@mojonetworks.com Mojo Networks and the Mojo Networks logo are trademarks, and Mojo is a registered trademark of Mojo Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.